Specify the log type with additional optional parameters
to retrieve logs from a firewall.
Parameter   Description

log-type    The type of logs to retrieve (required):

              log-type=traffic      Traffic logs
              log-type=threat       Threat logs
              log-type=config       Config logs
              log-type=system       System logs
              log-type=hipmatch     GlobalProtect Host Information Profile (HIP) match logs
              log-type=wildfire     WildFire logs
              log-type=url          URL filtering logs
              log-type=data         Data filtering logs
              log-type=corr         Correlated event logs, as seen in the web interface under
                                    Monitor > Automated Correlation Engine > Correlated Events.
              log-type=corr-detail  Correlated event details, as seen when you select an event
                                    under Monitor > Automated Correlation Engine > Correlated Events.
              log-type=corr-categ   Correlated events by category; currently only compromised
                                    hosts, as seen under ACC > Threat Activity > Compromised Hosts.
              log-type=userid       User-ID logs
              log-type=auth         Authentication logs
              log-type=gtp          GPRS Tunneling Protocol (GTP) logs
              log-type=external     External logs
              log-type=iptag        IP tag logs

query       (Optional) The match criteria for the logs, using the same filter
            syntax as the Monitor tab of the web interface. The value must be
            URL encoded; for example, the filter (addr.src in 10.0.0.5) is sent
            as query=%28addr.src%20in%2010.0.0.5%29.

nlogs       (Optional) The number of logs to retrieve. The default is 20 when
            the parameter is not specified; the maximum is 5000. To retrieve
            more than 5000 logs, page through the result set with skip.

skip        (Optional) The number of logs to skip before returning results.
            The default is 0. Use this together with nlogs to retrieve logs in
            batches, skipping the logs already retrieved. Because new logs keep
            arriving, offsets into a newest-first (dir=backward) result set can
            shift between batches; bound the query by time (for example on
            receive_time) when you need a stable set of results to page through.

dir         (Optional) Whether logs are returned oldest first (forward) or
            newest first (backward). The default is backward.

action      (Optional) Log data can be large, so the API retrieves it as an
            asynchronous job. The initial query returns a job ID (job-id) that
            you pass to subsequent requests together with the action parameter:

              action=get       Check the status of the job and, when the status
                               is FIN (finished), retrieve the log data from the
                               same response. If the status is not yet FIN (for
                               example ACT), poll again. This differs from the
                               asynchronous export of tech support data, which
                               has a separate status action.
              action=finish    Stop an active job.
              (not specified)  When action is omitted, as in the initial query,
                               the firewall creates a new job to retrieve log data.
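The complete flow described above (initial type=log query returning a job-id, polling with action=get until the status is FIN, cancelling with action=finish on timeout, and paging a larger result set with skip and nlogs) as an added Python example. This is not code from the page or from Palo Alto Networks. The firewall hostname, the API key, the filter text and the XML responses embedded below are constructed for illustration; sending the key in the X-PAN-KEY header rather than as key=... in the URL is this example's choice, not something the page specifies.

```python
"""PAN-OS XML API type=log job flow: query -> job-id -> poll action=get -> page with skip."""
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen

NLOGS_MAX = 5000  # documented ceiling for nlogs
LOG_TYPES = {"traffic", "threat", "config", "system", "hipmatch", "wildfire", "url",
             "data", "corr", "corr-detail", "corr-categ", "userid", "auth", "gtp",
             "external", "iptag"}

# Constructed sample responses (not captured from a real firewall): the initial
# query answer carrying a job id, an action=get answer while the job is still
# active, and a finished answer carrying two traffic log entries.
SAMPLE_JOB_RESPONSE = """<response status="success" code="19"><result>
<msg><line>query job enqueued with jobid 42</line></msg><job>42</job></result></response>"""
SAMPLE_ACTIVE_RESPONSE = """<response status="success"><result>
<job><status>ACT</status><id>42</id></job><log><logs count="0" progress="60"/></log>
</result></response>"""
SAMPLE_FIN_RESPONSE = """<response status="success"><result>
<job><status>FIN</status><id>42</id></job><log><logs count="2" progress="100">
<entry logid="1"><receive_time>2024/01/01 17:10:00</receive_time><src>10.0.0.5</src>
<dst>203.0.113.9</dst><dport>443</dport><action>allow</action></entry>
<entry logid="2"><receive_time>2024/01/01 17:09:58</receive_time><src>10.0.0.7</src>
<dst>198.51.100.2</dst><dport>22</dport><action>deny</action></entry>
</logs></log></result></response>"""


def encode_log_request(log_type, query=None, nlogs=20, skip=0, direction="backward"):
    """Build the URL-encoded parameter string for the initial type=log request.
    urlencode() does the URL encoding the query parameter requires, so the filter
    is written exactly as it would be typed into the Monitor tab."""
    if log_type not in LOG_TYPES:
        raise ValueError(f"unknown log-type {log_type!r}")
    if not 1 <= nlogs <= NLOGS_MAX:
        raise ValueError(f"nlogs must be between 1 and {NLOGS_MAX}")
    if direction not in ("forward", "backward"):
        raise ValueError("dir must be 'forward' or 'backward'")
    params = {"type": "log", "log-type": log_type, "nlogs": nlogs, "skip": skip, "dir": direction}
    if query:
        params["query"] = query
    return urlencode(params)


def _root(xml_text):
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"API error: {xml_text}")
    return root


def parse_job_id(xml_text):
    """Job id from the response to the initial query (no action parameter)."""
    return _root(xml_text).findtext("result/job")


def parse_get_response(xml_text):
    """(job status, log entries) from an action=get response. Entries are only
    present once the status is FIN; before that the list is empty."""
    root = _root(xml_text)
    status = root.findtext("result/job/status")
    entries = [{c.tag: (c.text or "") for c in e} for e in root.iterfind("result/log/logs/entry")]
    return status, entries


def fetch_logs(host, api_key, log_type, query=None, nlogs=20, skip=0,
               direction="backward", timeout=60, poll_interval=2):
    """Run the job flow against a live firewall (network call; not exercised offline).
    The key goes in the X-PAN-KEY header instead of key=... in the URL so it does
    not land in proxy or access logs. TLS verification stays at urllib's default."""
    def call(qs):
        req = Request(f"https://{host}/api/?{qs}", headers={"X-PAN-KEY": api_key})
        with urlopen(req, timeout=30) as resp:
            return resp.read().decode()

    job_id = parse_job_id(call(encode_log_request(log_type, query, nlogs, skip, direction)))
    deadline = time.monotonic() + timeout
    while True:
        status, entries = parse_get_response(
            call(urlencode({"type": "log", "action": "get", "job-id": job_id})))
        if status == "FIN":
            return entries
        if time.monotonic() > deadline:  # give up and release the job on the firewall
            call(urlencode({"type": "log", "action": "finish", "job-id": job_id}))
            raise TimeoutError(f"log job {job_id} did not finish within {timeout}s")
        time.sleep(poll_interval)


def fetch_all(host, api_key, log_type, query=None, batch=NLOGS_MAX, **kw):
    """Page through a result set with skip/nlogs until a batch comes back short.
    Pass a time-bounded query so newly arriving logs do not shift the offsets."""
    skip, out = 0, []
    while True:
        page = fetch_logs(host, api_key, log_type, query, batch, skip, **kw)
        out.extend(page)
        if len(page) < batch:
            return out
        skip += batch


if __name__ == "__main__":
    print(encode_log_request("traffic", query="(addr.src in 10.0.0.5)", nlogs=50))
    print("job id:", parse_job_id(SAMPLE_JOB_RESPONSE))
    print("while active:", parse_get_response(SAMPLE_ACTIVE_RESPONSE))
    print("when finished:", parse_get_response(SAMPLE_FIN_RESPONSE))
```

Running the module stand-alone exercises only the encoding and parsing against the constructed responses; fetch_logs and fetch_all need a reachable firewall. Keeping the key out of the query string matters because the full request URL is what proxies, load balancers and the firewall's own web server write to their access logs.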